From personal experience I could get around a Citrix session by either
using IE or, if an application had a help option in the menu, fire up this and
then browse to where you want to get to through file open. The CHM help app
can sometimes make life hard. Or if you knew the locations of mmc, regedit,
gpupdate, etc., knowing the local admin account as well kind of helps. Keep
tabs on access control with the security log to see who's doing what.

The previous contract I was on hadn't switched on any auditing for who
initiated server shutdown. When you are trying to pull out a lengthy report
from AD and the server powers off for no reason that's just annoying.

> Hi everyone!
>
> I am looking for a good reference to secure a Citrix server to avoid a
> user to gain access to the operating system. So far I have some ideas
> like restricting the execution of the cmd.exe and (maybe) explorer.exe
> from with a group policy in the domain.
>
> If you know about any document I can look at or have any experience
> about this that you want to share I will be very thankful. Thanks in advance.

Which Citrix products are you interested in? Citrix solutions are quite
powerful and complex; therefore, understanding and securing them is not an
easy task. Here are some resources about securely deploying Citrix XenApp,
Citrix XenServer, and Citrix Access Gateway: